Hi,

On Fri, Dec 30, 2022 at 05:25:41PM +0100, Tobias Frost wrote:
> On Fri, Dec 30, 2022 at 04:14:25PM +0100, Salvatore Bonaccorso wrote:
> > Hi Steinar, hi Tobias,
> >
> > On Fri, Dec 30, 2022 at 12:04:29PM +0100, Tobias Frost wrote:
> > > On Fri, Dec 30, 2022 at 11:18:14AM +0100, Steinar H. Gunderson wrote:
> > > > On Fri, Dec 30, 2022 at 11:04:46AM +0100, Tobias Frost wrote:
> > > > > I was trying to triage this CVE and *maybe* those revisions are
> > > > > related:
> > > > >
> > > > > r1894937 ("apreq_parse_headers: Discard CRLF of folded values.")
> > > > > r1894940 ("reindent (no functional change).")
> > > > > r1894977 ("Follow up to r1894937: Fix setting of empty value.")
> > > > > r1895054 ("Follow up to r1894937: Always eat CRLF at the end of
> > > > > header value.")
> > > >
> > > > Perhaps it's best to remove libapreq2 entirely? I don't use nor
> > > > maintain it anymore, it's been out of testing for a while, and
> > > > there's this CVE.
> > >
> > > #ssh mirror.ftp-master.debian.org "dak rm -Rn libapreq2"
> > >
> > > Will remove the following packages from unstable:
> > >
> > > libapache2-mod-apreq2 | 2.13-7+b4 | amd64, arm64, armel, armhf, i386,
> > > mips64el, mipsel, ppc64el, s390x
> > > libapache2-request-perl | 2.13-7+b4 | amd64, arm64, armel, armhf,
> > > i386, mips64el, mipsel, ppc64el, s390x
> > > libapreq2 | 2.13-7 | source
> > > libapreq2-3 | 2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el,
> > > mipsel, ppc64el, s390x
> > > libapreq2-dev | 2.13-7+b4 | amd64, arm64, armel, armhf, i386,
> > > mips64el, mipsel, ppc64el, s390x
> > > libapreq2-doc | 2.13-7 | all
> > >
> > > Maintainer: Steinar H. Gunderson <se...@debian.org>
> > >
> > > ------------------- Reason -------------------
> > >
> > > ----------------------------------------------
> > >
> > > Checking reverse dependencies...
> > > # Broken Depends:
> > > libapache2-authcassimple-perl: libapache2-authcassimple-perl
> > > libapache2-sitecontrol-perl: libapache2-sitecontrol-perl
> > > lua-apr: lua-apr
> > > rapache: libapache2-mod-r-base
> > >
> > > # Broken Build-Depends:
> > > libapache2-sitecontrol-perl: libapache2-request-perl
> > > lua-apr: libapreq2-dev
> > > rapache: libapreq2-dev
> > >
> > > Dependency problem found.
> > >
> > > ... and still there's a need to fix the CVE for stable (and also for
> > > (E)LTS)
> > >
> > > (I'm currently taking a look at 2.17, to see if I can get it packaged;
> > > if I'm succeeding, there will be an NMU announcement :))
> >
> > Upstream has still not clarified on
> > https://www.openwall.com/lists/oss-security/2022/08/26/4 and given it
> > was now out of bookworm, it might be wise that we actually sunset it
> > for bookworm (including having the above reverse dependencies out of
> > bookworm).
> >
> > Fixing stable and oldstable is then another story, and I still hope we
> > get feedback from upstream on pinpointing the fixes.
>
> ACK, I will file a "not suitable for bookworm" bug, so that the new package
> and r-depends won't migrate.

Thank you Tobi!

> Let's hope that upstream answers…

Regards,
Salvatore